Review of Compliance at the Government Communications Security Bureau


Rebecca Kitteridge, March 2013


Contents

Executive summary
Summary of key recommendations
Introduction
  Background and context
  The New Zealand Intelligence Community
  My approach to the review
  Legal issues identified during the review
  Structure of the report
Part I: Compliance frameworks
  Assessing and identifying compliance obligations
  Supporting compliant behaviour and preventing non-compliance
  Monitoring compliance and detecting non-compliance
  Responding to non-compliant activity
  External reporting
  Measuring
  Improving
Part II: Organisational factors that have contributed to GCSB's compliance problems
  Introduction
  GCSB's organisational structure
  Governance
  GCSB's culture
  Information management at GCSB
  Capability and capacity issues within GCSB
  Conclusion
Appendix 1 - Consolidated recommendations
Appendix 2 - Compliance review terms of reference
Appendix 3 - List of people spoken to
Appendix 4 - Written material referred to in the course of the review
Appendix 5 - Legal issues identified in the course of the review
Appendix 6 - Consolidated database
Appendix 7 - Internal audit


Executive summary

1. The Government Communications Security Bureau (GCSB) plays a vital role in New Zealand's security by obtaining, providing and protecting sensitive information. The time I have spent within GCSB has left me in no doubt that New Zealand needs this organisation now more than ever. The increasing threat of cyber attacks and the protective role GCSB plays is one part of this story, but GCSB does a wide range of other things that are essential to the well-being of New Zealand.

2. It is, however, vital that an organisation that exercises intrusive powers of the state does so in a way that is entirely lawful. Where a state organisation's internal operations must necessarily remain secret, because of their sensitivity, there need to be robust internal systems and effective external oversight so that the public can be confident in the lawfulness of those operations.

3. Concerns were raised about legal compliance within GCSB as a result of events involving Mr Kim Dotcom. I was seconded to GCSB to carry out a review of compliance systems and processes at GCSB, commencing on 2 October 2012. The review took six months. In the course of this review, I focused on two main areas:
a. supporting the Director of GCSB to ensure that all of GCSB's activities were lawful, and in particular activities that the Director had directed be stopped at the end of September 2012, before they could be considered for resumption; and
b. reviewing GCSB's compliance framework.

4. The Director was concerned to ensure that no other errors had occurred that were similar to that concerning Mr Dotcom. The Director's concern led to a number of other instances, in which GCSB had assisted domestic law enforcement agencies between 1 January 2009 and 26 September 2012, being referred to the Inspector-General of Intelligence and Security for review. Those cases were subsequently found to be lawful.

5. The review of activities that had stopped (involving assistance to other domestic agencies) led the Bureau to seek legal advice from the Crown Law Office on a number of issues. In relation to some assistance that GCSB has provided to the New Zealand Security Intelligence Service and (more rarely) the Police since before the enactment of the GCSB Act 2003, the Solicitor-General confirmed the difficulties in interpreting the GCSB Act and the risk of an adverse outcome if a Court were to consider the basis of that assistance. All relevant instances of assistance (concerning 88 individuals in total), dating between 1 April 2003 and 26 September 2012, have been identified and a report has been provided to the Minister Responsible for the GCSB, in parallel with this report, so that he can determine the appropriate action to be taken.

6. I conclude, in relation to this and other legal issues, and to ensure that GCSB can carry out its work in the future with a clear understanding of the law, that legislative clarification would be desirable.

7. The second limb of my review involved considering GCSB's compliance against a standard compliance model, involving the following cycle of activity:
a. assessing and identifying legal compliance obligations;
b. supporting compliant behaviour and preventing non-compliance (including internal guidance, procedures, internal audit, and external oversight);
c. responding to non-compliant behaviour;
d. external reporting;
e. measuring; and
f. improving.

8. Part I of this report sets out my analysis of GCSB's compliance activity against this standard compliance model. In all these areas of compliance, significant opportunities for improvement are identified. I also recommend that external oversight of GCSB be strengthened.

9. In the course of this work I concluded that the issues identified in relation to compliance were symptomatic of underlying problems within GCSB, concerning GCSB's structure, management of its information, capability and capacity. Those issues are addressed in Part II of this report.

10. A consolidated table of recommendations is attached at Appendix 1. If implemented, the changes I recommend will constitute a considerable change programme, which in my view will take more than one year to complete. It is important to note that my report represents a snapshot in time, and that a number of recommended changes have already been made or are in train.

11. Throughout my time at GCSB the staff with whom I spoke consistently expressed their commitment to the rule of law. It is my strong belief that when GCSB has addressed the issues raised in this report, it will not only be an organisation that continues to provide great public value, but also an institution in which the public can have trust and confidence.

Rebecca Kitteridge
22 March 2013


Summary of key recommendations

I recommend that:

1. Legislative reform be considered, to clarify the application of the GCSB Act 2003 to GCSB's work;

2. GCSB implement a compliance framework, which will include:
a. systems for assessing and identifying compliance obligations;
b. risk assessment, accessible and authoritative guidance, clear procedures and training to support compliant behaviour and prevent non-compliance;
c. monitoring compliance and detecting non-compliance, through targeted internal audit and robust external oversight;
d. explicit and escalating internal responses to non-compliant activity;
e. external reporting on compliance breaches to the Inspector-General of Intelligence and Security (IGIS), and on compliance statistics to the Intelligence Security Committee and to the public through the GCSB Annual Report;
f. systems to measure the organisation's compliance state against explicit objectives, and to track trends;
g. regular review of the compliance systems in light of compliance performance, in order to achieve continuous improvement;

3. policy work be undertaken with a view to strengthening the Office of the IGIS, including broadening the pool of candidates, increasing the resources and staff supporting the IGIS, and making the work programme, audits and reporting expectations of the IGIS more explicit;

4. organisational factors that have contributed to GCSB's compliance issues be addressed, including:
a. reorganising GCSB in a simpler, less fragmented way;
b. reducing the number of small units and managers;
c. centralising some key roles and giving them Bureau-wide reach;
d. avoiding single points of dependence;
e. reconfiguring and strengthening the compliance and operational policy resources;
f. strengthening the legal resource, and considering including it in the Intelligence Community Shared Services;
g. providing greater support to GCSB's Strategic Leadership Board so focus is on strategy, risk, workforce capability, etc;
h. improving performance management practices;
i. facilitating internal and external rotations and secondments;
j. appointing a professional Information Manager and addressing information management issues;
k. strengthening the relationship with the Crown Law Office, and other relevant government agencies.

Introduction

Background and context

1. GCSB plays a vital role in New Zealand's security by obtaining, providing and protecting sensitive information. Some people will always be uncomfortable with the notion of intelligence organisations. Organisations of this kind, however, are found in every like-minded parliamentary democracy. In New Zealand, Parliament has placed GCSB on a statutory footing, and has set out its objectives and functions in the GCSB Act 2003.

2. The GCSB Act reflects the fact that GCSB has two main functions: information assurance (increasingly focused on protection against cyber attacks) and obtaining foreign signals intelligence ("SIGINT").

3. Successive administrations have valued what GCSB provides and have supported its work. Over many years GCSB has given information to governments to support well-informed policy decisions. It has protected New Zealand government communications and (increasingly) New Zealand's critical infrastructure and intellectual property. GCSB's work has helped to save lives and has contributed meaningfully to global security.

4. The time I have spent within GCSB has left me in no doubt that New Zealand needs this organisation now more than ever. The increasing threat of cyber attacks and the protective role GCSB plays is one part of this story, but GCSB does a wide range of other things that are essential to the well-being and prosperity of New Zealand. GCSB is also highly regarded by counterpart agencies for the contribution it makes to international security. It is a great pity (and quite a big problem for GCSB, in terms of public attitudes) that security considerations prevent this positive story from being told in more detail.

5. The reason I start this report with these comments is that they provide an important backdrop to this review, which has a narrow focus on compliance. The broader story cannot be included. It is my strong belief that when GCSB has addressed the issues raised in this report, it will not only be an organisation that continues to provide great public value, but also an institution in which the public can have trust and confidence.

The New Zealand Intelligence Community

6. The core New Zealand Intelligence Community (NZIC) comprises GCSB, the New Zealand Security Intelligence Service (NZSIS), and parts of the Department of the Prime Minister and Cabinet (DPMC). The individual agencies, and the NZIC collectively, have been the subject of scrutiny, both legislative and administrative, over many years. Recent years have seen a number of reviews and improvements:
a. In June 2009 Cabinet initiated a review of the intelligence agencies, which was conducted by Simon Murdoch on behalf of the State Services Commissioner. The review proposed a number of initiatives to improve efficiency and co-ordination of the NZIC. The review also recommended strengthening governance, management and co-ordination arrangements, including adding a governance arm to the Officials Committee for Domestic and External Security Co-ordination (ODESC(G)).
b. Michael Wintringham led a review entitled "A National Security and Intelligence Framework for New Zealand" in September. The review considered the NZIC's role in supporting a national security system. There is now a much more systematic framework for examining national security risks and prioritising work to mitigate them, including the NZIC's roles of "watch and warn", reducing vulnerability, and developing counter-measures.

7. There is no doubt that these reviews resulted in a better co-ordinated, more effective, more efficient and accountable NZIC. Real change has been evident in the way that the community operates as a collective, resulting in better use of scarce resources in the interests of New Zealand's national security. The fact that my review identifies issues and recommends changes concerning compliance at GCSB should be seen in a larger context of very significant, ongoing efforts to improve the performance of the NZIC as a whole.

My approach to the review

8. My review was not an inquiry. It is true that it was initiated as a result of the events following the discovery that GCSB had unlawfully intercepted the communications of Mr Kim Dotcom. I was not, however, asked to investigate those events. I was asked by the Director of GCSB and the Chief Executive of the Department of the Prime Minister and Cabinet to accept a secondment to GCSB, in order to provide the Director with assurance that GCSB's activities are undertaken within its powers and that adequate safeguards are in place. In particular, I was asked to:
a. review the systems, processes and capabilities underpinning the GCSB's collection and reporting;
b. build capability and provide assurance to the GCSB Director that the compliance framework has been reviewed, improved and is fit for purpose;
c. establish new, specific approval processes for activity in support of the Police and other law enforcement agencies.

9. It should be noted that my review was focused on GCSB's operations and whether there are systems in place to ensure the lawfulness of those operations under relevant New Zealand and international law. I did not review other aspects of compliance such as financial systems, security, or the way in which GCSB works with agencies internationally.

10. I commenced the secondment on 2 October 2012, for an initial period of up to three months (later extended to the end of March 2013). The full terms of reference for this review were developed after my arrival, and are attached as Appendix 2.

11. Despite the fact that the organisation was under considerable stress when I arrived, I found that staff were very welcoming. In the course of the review I spent many hours interviewing GCSB staff; during that process I talked to well over one hundred of them. They were open, non-defensive and helpful. It was clear that they take their special roles seriously and are deeply committed to protecting and advancing New Zealand's interests in accordance with the government's priorities. They universally expressed their commitment to comply with the law as they understood it. They were frank with me that they thought their compliance systems and processes could be improved, and made useful suggestions as to how. This review reflects what they told me.

12. A list of the teams that I spoke to is included in Appendix 3.

13. I visited the intelligence and security organisations in Australia (in particular, the Defence Signals Directorate, or DSD) and the United Kingdom (in particular, the Government Communications Headquarters, or GCHQ), to discuss compliance processes and systems in those organisations. A list of the agencies I visited is included in Appendix 3. I also read a considerable amount of background material, listed in Appendix 4.

14. While I was conducting the review, I was also supporting the Director to implement change and improvements. It is therefore important to note two things in relation to this report:
a. it represents a snapshot in time;
b. action to remedy many of the issues identified in this report is already underway (and in some cases is complete).

15. The findings in this report are specific to GCSB, and nothing should be extrapolated from it with regard to other parts of the Intelligence Community.

16. As a final introductory point, I would note that although I have completed the tasks envisaged in paragraphs 8(a) and 8(c) above, I have not been able to complete the work contemplated in paragraph 8(b) (i.e. to build capability and provide assurance to the GCSB Director that the compliance framework has been reviewed, improved and is fit for purpose). There are underlying issues that need to be addressed before those matters can be resolved (as discussed in Part II of this report). The changes required will take a considerable effort, which I estimate will take a team more than one year to implement. The recommendations in this report, once implemented, however, will result in an improved compliance framework that is fit for purpose.

Legal issues identified during the review

17. When I arrived at GCSB I found that, in response to the error regarding Mr Dotcom, the Director had taken a very conservative stance as to the activities GCSB was undertaking. On 26 September 2012, he had directed that almost all GCSB support for domestic agencies was to cease with immediate effect. The Director had stated that the cessation of support would continue until he was satisfied that GCSB had interpreted all the relevant legal issues correctly.

18. The Director was also concerned to ensure that no other errors had occurred that were similar to that concerning Mr Dotcom. On 3 October 2012 (taking account of the Inspector-General's initial findings in respect of Mr Dotcom) the Director invited the Inspector-General of Intelligence and Security to review the three other cases in which assistance had been provided to law enforcement agencies in New Zealand since January 2009 that potentially involved New Zealand citizens or permanent residents. The Inspector-General was also invited to review all the other cases of GCSB assistance to those agencies during the same period. The Inspector-General subsequently concluded that none of these cases was in breach of GCSB's legislation.

19. While that process was continuing, other assistance to domestic agencies remained stopped. The conservative approach taken by the Director turned out to be well justified. As the newly arrived lawyers (on secondment from Crown Law) and I commenced our work, we encountered difficulty in applying aspects of the GCSB Act to some of the activities of GCSB that had ceased. Most of the difficulties were connected with section 14 of the GCSB Act, which provides that GCSB may not take any action for the purpose of intercepting the communications of a person who is a New Zealand citizen or a permanent resident.

20. Consideration of this prohibition, which is stated in absolute terms, raised questions regarding some long-standing (and in my view uncontroversial) practices:
a. If GCSB wanted to test new equipment, could it do so in New Zealand? Would section 14 be breached, even if mitigating steps were taken such as choosing a remote location and intercepting the communications of GCSB employees who had volunteered to participate in the testing? Or would GCSB have to test the equipment overseas, at some considerable cost?
b. Similarly, questions were raised about the application of section 14 to the information assurance function of GCSB. If, for example, a government agency requested GCSB to analyse the agency's network in a case of a suspected malware attack, could GCSB help? If not, how could GCSB carry out this aspect of its important protective function?

21. Determining these and other similar questions involved analysis of the word "purpose" in section 14 and other legal interpretation points. In some cases the activity resumed, on a best-interpretation basis, but with acknowledgement that the current wording of the Act is not completely clear in its application.

22. Other activities, reflecting long-standing assumptions about the application of the Act over the course of successive administrations, were not resumed. The most significant of these concerned the exercise of the function spelled out in section 8(1)(e) of the GCSB Act, which states as one of the Bureau's functions: "to co-operate with, or to provide advice and assistance to, any public authority".

23. The internal legal advice at GCSB (as reflected in its internal guidance) had been that it was lawful for GCSB to assist domestic agencies such as the NZSIS or the Police, under this provision, in two circumstances:
a. Firstly, it was long-standing practice, going back to before the enactment of the GCSB Act in 2003, for GCSB to provide assistance (i.e. its specialist capabilities) to the NZSIS on the basis of NZSIS warrants. The clear understanding within GCSB was that in such cases section 14 did not apply because GCSB was acting as the agent of the requesting agency and was therefore operating under the legal authority of the warrants. If the NZSIS, with the authority of an intelligence warrant, requested GCSB to provide assistance in cases involving New Zealand citizens or permanent residents, GCSB provided that assistance.
b. The second situation involved metadata (information about information; for example, the kind of information that appears on a telephone bill). The understanding within the Bureau (as reflected in its internal guidance) was that metadata was not a "communication" for the purposes of the prohibition expressed in section 14 of the GCSB Act. It was the view within GCSB that GCSB could, on request, lawfully obtain and provide information about metadata involving New Zealanders, without the authority of a warrant, in accordance with its function of co-operating with and providing assistance to public authorities.

24. I do not want to suggest that GCSB was in the business of routinely providing assistance to domestic agencies in cases involving New Zealanders, because that is not the case. GCSB is first and foremost a foreign intelligence organisation, and foreign intelligence is by far its greater focus. Most of the support provided to domestic agencies concerned non-New Zealanders. From time to time, however, in the two circumstances set out in the previous paragraph, GCSB provided its specialised assistance to New Zealand agencies in cases involving New Zealand citizens or permanent residents, in the belief that the assistance was provided lawfully. The assistance was provided to NZSIS to help combat threats to New Zealand's security in areas such as counter-terrorism. The procedures for providing such assistance were carefully spelled out in GCSB's internal guidance, and compliance with that guidance was monitored.

25. In the course of this review, a question arose about whether these long-standing interpretations of the law were correct. The Inspector-General of Intelligence and Security had asked the Directors of GCSB and NZSIS the same question at the end of May 2012, and the issue had been the subject of some legal analysis and correspondence, but the matter had not been resolved and in any event assistance to domestic agencies had ceased on 26 September 2012. In October 2012 the Director of GCSB sought an opinion from the Solicitor-General on the question of whether the authority of a NZSIS warrant would override the prohibition in section 14. The Solicitor-General confirmed the difficulties of interpretation and the risk of an adverse outcome if a Court were to consider the question. (I refer to the Solicitor-General's opinion in only general terms since that advice is subject to legal professional privilege and the Attorney-General does not intend to waive that privilege.)

26. It should be noted that all of NZSIS's domestic intelligence warrants are issued jointly by the Minister in Charge of the NZSIS and the Commissioner of Security Warrants, and that it is a function of the Commissioner (who is required to be a former High Court Judge) to advise the Minister in Charge of the NZSIS on applications for domestic intelligence warrants, under section 5A of the New Zealand Security Intelligence Service Act. All of those warrants were also subject to review under section 11(d) of the Inspector-General of Intelligence and Security Act 1996 by successive Inspectors-General of Intelligence and Security, a role that is also required to be held by a former High Court Judge. The Inspector-General of Intelligence and Security and the Commissioner of Security Warrants have recently each been invited to consider the legal issue concerning the effect of section 14 of the GCSB Act 2003 in relation to domestic intelligence warrants. Each has reached a conclusion similar to that of the Solicitor-General. The fact that the issue had not been identified during the preceding ten years (except for the question raised by the Inspector-General of Intelligence and Security in May 2012) reinforces the point that the interplay between the two Acts is not straightforward.

27. The legal reasoning applies by extension to GCSB's assistance to the New Zealand Police on the basis of Police warrants, although that assistance was in practice much rarer.

28. There was a similar outcome in relation to metadata. On review, it appeared that metadata would be likely to constitute a communication (as defined in the GCSB Act) for the purposes of section 14.

29. The consequence of these developments is that the lawfulness of some of GCSB's past assistance to domestic agencies is now called into question. In relation to NZSIS, the relevant period is between 1 April 2003, when the GCSB Act came into force, and 26 September 2012, when such assistance ceased. During that period GCSB provided 55 instances of assistance to NZSIS, which potentially involved 85 New Zealand citizens or permanent residents. In relation to the New Zealand Police, the relevant period is between 1 April 2003 and 1 January 2009, because (as already noted) every case of assistance to Police after that date has already been investigated by the Inspector-General of Intelligence and Security and determined to be lawful (with the exception of the case involving Mr Dotcom and his associate). During the relevant period, GCSB provided assistance to the Police in one instance, which potentially involved three New Zealand citizens or permanent residents.

30. It is not known as at the date of this report how many of these instances of assistance might ultimately be determined to have been undertaken in a way that is inconsistent with the GCSB Act, as there are a number of factors to consider in making that kind of determination.

31. Since becoming aware of these issues, the Director of GCSB has:
a. confirmed that no assistance involving New Zealand citizens or permanent residents, even on the basis of warrants, will resume in the absence of a legislative amendment;
b. ensured that all cases where GCSB's assistance is now open to question have been identified; and
c. reported to the Minister Responsible for the GCSB on the matter, so that the Minister can determine the appropriate action to be taken.

32. Other (less significant) legal issues were also considered in parallel to my compliance review, with some interconnection between the two processes. A list of the legal issues considered in the course of this review is attached as Appendix 5, which is legally privileged and classified. Given the need to work carefully through the legal issues, and the complexity of the GCSB operation, the compliance review took longer than expected and my reporting deadline was extended to the end of March 2013.

33. Some legal issues were able to be resolved relatively quickly and the activity reinstated. Some issues required opinions from the Solicitor-General, which have either been provided or are pending.

34. What has also become very clear as a result of this process is that the GCSB Act is not (and probably has never been) completely fit for purpose. Legislative clarification would be highly desirable in a number of important areas where the Act is currently less than clear. That process will provide an opportunity for a public discussion about the powers and functions of GCSB, including the extent to which GCSB should be permitted to assist domestic law enforcement and security agencies, and (if such assistance is supported) under what legal constraints. I recommend that such legislative clarification be sought.

Structure of the report

35. While this report acknowledges the legal issues found at GCSB, those issues are not the focus of the report. This report is concerned primarily with compliance systems and processes.

36. I conclude that the problems concerning compliance at GCSB are symptomatic of broader organisational issues. For this reason, my report is divided into two parts:
a. the first part assesses GCSB's compliance activity against a standard compliance framework model;
b. the second part considers what organisational factors may have contributed to GCSB's compliance problems.

Part I: Compliance frameworks

Introduction

37. Legal compliance is an issue for every organisation. The level of effort and engineering that goes into compliance depends on the size and complexity of the organisation, and the type of risks it assumes. At one end of the scale, a one-person start-up company may do the minimum to ensure that it complies with the law, for example paying GST. At the other end of the scale are complex organisations for which the consequences of getting things wrong are disastrous, for example because errors will result in loss of human life, or critical loss of reputation and public trust. Hospitals come into this category.

38. I would argue that GCSB too is at this high-risk end of the compliance spectrum. Its powerful capabilities and intrusive statutory powers may only be utilised for certain purposes. The necessarily secret nature of its capabilities and activities prevents the sort of transparency that would usually apply to a public sector organisation. It is therefore imperative that the public be able to trust that those exercising the powers are doing so only in the way authorised by Parliament. A robust compliance regime, including visibly demanding external reporting and oversight, should provide considerable assurance to the public.

The standard compliance cycle

39. There is an abundance of literature and case studies available about compliance frameworks and how they apply. Regardless of the type of organisation, robust compliance frameworks tend to include a cycle of activities, as follows:

Assessing and identifying compliance obligations: The first step in establishing a robust compliance framework involves assessing the operating and legal environment, identifying the relevant compliance obligations and setting out the compliance objectives.

Supporting compliant behaviour and preventing non-compliance: Once the compliance environment has been assessed and identified, the focus should shift to prevention of non-compliant activity. This involves a significant investment, and includes risk assessment, accessible and authoritative guidance, clear procedures, and training.

Monitoring compliance and detecting non-compliance: Preventative systems and procedures are essential, but they will never be sufficient. It is important to be able to detect non-compliance (whether accidental or deliberate) by having internal compliance audits, and external oversight such as inspectors and ombudsmen.

Responding to non-compliant activity: Where non-compliance is identified, there needs to be an explicit and escalating internal response that is universally understood and consistently applied within the organisation. The organisation's response should encourage self-reporting of errors, at one end of the scale, and contemplate full disciplinary procedures (including dismissal) at the other.

External reporting: Where non-compliant activities have been identified and dealt with, they should be reported to the appropriate external authority and statistics made public. Such external reporting promotes accountability and public trust.

Measuring: A robust compliance framework should include a reporting system that allows the organisation's compliance state to be measured against explicit objectives, and trends to be tracked. Information of this kind is invaluable in helping the compliance team (and ultimately the senior leadership team) to understand the compliance health of the organisation, to motivate the organisation to improve, and to promote external accountability and transparency.

Improving: An organisation should have a compliance culture of continuous improvement. The compliance systems within the organisation need to be reviewed periodically in the light of compliance performance.

40. Ideally, these features of a compliance framework should operate in a cycle, as follows:

[Figure: the compliance cycle, running from assessing and identifying, to supporting compliant behaviour, to monitoring compliance and detecting non-compliance, to responding to non-compliant activity, to external reporting, to measuring, to improving, and back to assessing and identifying.]

Compliance framework at GCSB

41. GCSB does not have a comprehensive compliance framework of this kind. It does, however, have some features of a compliance framework. This review considers each aspect of a compliance framework as it applies at GCSB, and makes recommendations for improvement where applicable.

42. It is important to note that although GCSB is a complex organisation, it is relatively small. The implementation of these recommendations must not be so heavy-handed and bureaucratic that the organisation cannot function. It must, however, be effective. Organisational structure, governance, systems and culture are all critical to an effective compliance framework, as discussed in Part II of this report.

Recommendations

43. I recommend that:
a. a comprehensive compliance framework be developed for GCSB;
b. the compliance framework be peer-reviewed by an external reviewer and implemented.

Assessing and identifying compliance obligations

Best practice: The first step in establishing a robust compliance framework involves assessing the operating environment, identifying the relevant compliance obligations and setting out the compliance objectives.

Assessing and identifying at GCSB

44. I have not seen any evidence of a systematic and ongoing process to identify relevant compliance obligations that apply to GCSB. I found:

a. GCSB Act: Throughout GCSB there is a focus on the GCSB Act (as explained and interpreted through internal operational guidance) as the sole source of authority and law. Unfortunately, some aspects of the GCSB Act have recently been found to have been open to question or incorrectly applied since the legislation was enacted, as set out earlier in this report. Where appropriate, those matters have been referred to the Inspector-General of Intelligence and Security. In addition, policy work, led by DPMC, is underway to review unclear aspects of the GCSB Act and to recommend amendment.

b. Other legislation: Other legislation relevant to GCSB has not been adequately analysed and considered in relation to its operation (for example, the Defence Act 1990 and the Privacy Act 1993), meaning that the organisation has been exposed to some legal risk; see Appendix 5 for details. These matters are subject to ongoing legal analysis. In addition, I did not find evidence of any system for scanning Bills or legislative amendments on a routine basis to assess the impact of those amendments on GCSB. A process has now been put in place to scan legislative amendments regularly.

c. International law: I did not find any collection of relevant international conventions or treaties. In addition, over the years GCSB has entered into a number of Memoranda of Understanding (MOUs) with counterpart organisations overseas on matters of technical assistance, without reference to the Ministry of Foreign Affairs and Trade. These documents were intended by all parties to be non-binding arrangements, but some of them are written using treaty language, which may give the misleading impression that they are intended to have the force of international law. All documents of this kind ought to have been discussed with the Legal Division at the Ministry of Foreign Affairs and Trade, to ensure that they had proper oversight, were written in a way that made their status absolutely clear, and followed the right process. Improved practices are now in place.

d. Jurisprudence and the public law context: I have seen no evidence that significant judgments (such as the Supreme Court judgment in Hamed & Ors v R [2011] NZSC 101) or other developments in the public law domain have been systematically assessed or analysed in terms of their potential impact on GCSB's operation. In addition, it does not seem that the person who was for some years the Bureau's sole legal advisor, the Deputy Director Mission Enablement (DDME), was well connected with the public law community. He was therefore not well placed to keep in touch with legal developments and public law jurisprudence in New Zealand.

e. Technological developments: Technology is changing enormously quickly, with profound impacts on the techniques and tools utilised across the whole of the Bureau. Until recently, the nature of the communications media being intercepted at various stages of GCSB's existence (high frequency radio, then microwave via satellite) meant that the communications being targeted for foreign intelligence purposes could mostly be readily distinguished and intercepted. That has largely changed with the technological switch to ubiquitous use of the Internet. The GCSB Act was intended to be technology-neutral and future-proofed, but with the benefit of hindsight it looks to be rather narrowly focused on the SIGINT function as it operated in 2003. Even though the Act is only ten years old, it has not kept pace with developments, especially in relation to information assurance and cyber security. Since 2003, the Bureau has continued to constantly innovate to stay at the cutting edge of technology, which is critical for its success. There does not, however, appear to have been a process for testing how the Act might be applied to new technology at the point that projects are starting. As at the date of this report, the reality is that the Act is difficult to apply to some of the Bureau's current operation or its intended future operation. Essentially the legislation is in need of amendment if GCSB is to continue to be effective.

f. Connection with the Crown Law Office: The Crown Law Office provides authoritative legal advice for the Crown, and it is very important for every public sector organisation to keep well connected with that Office. I was not able to find a collection of Crown Law opinions at GCSB, but the Crown Law Office sent over copies of all opinions they had provided to GCSB since 1988. According to Crown Law's records, 12 opinions were provided between 1988 and September 2012 (24 years), only three of which deal with operational (rather than corporate) matters. In the last six months the Bureau has obtained ten opinions from Crown Law on matters of substantive interpretation, and more are underway.

45. The above findings confirm that there was no systematic effort at GCSB to identify relevant compliance obligations. It is unsurprising in these circumstances that there was no attempt to set out compliance objectives or goals.

Recommendations

46. I recommend that:

a. an exercise be undertaken to assess the laws (including common law and international law) relevant to the Bureau and to ensure that current practice is consistent with the law;

b. legal developments (new legislation, legislative amendments, relevant judgments) be systematically scanned to ensure that timely changes can be made at GCSB where necessary to ensure ongoing legal compliance;

c. systems be established to ensure that all technological developments or material changes in practice or operation be assessed to ensure legal compliance;

d. GCSB's in-house counsel be better connected with other public sector lawyers, including the Crown Law Office.

Supporting compliant behaviour and preventing non-compliance

Best practice: Once the compliance environment has been assessed and identified, the focus should shift to prevention of non-compliant activity. This involves a significant investment, and includes risk assessment, authoritative and accessible guidance, clear procedures and training.

Risk assessment at GCSB

47. A good compliance framework will be connected with an organisation's risk assessment framework.

48. GCSB has not always resourced a specific risk management position. Until recently, the Chief Financial Officer (who reported to the DDME) was responsible for risk management (among his other responsibilities). In early 2012 a Risk Management Advisor position was created at GCSB, and after some unavoidable delays the first holder of that position took up the role in September 2012. The Risk Management Advisor (who, I should emphasise, did not have an opportunity to address these matters before this compliance review started) says that a good risk assessment framework would have identified compliance as a high priority, given the consequences of compliance failure in terms of impact on public trust, and the reputational and financial implications for the organisation.

49. The Bureau also has an Audit Committee, with an external chair. Included in its duties and responsibilities are risk management and internal control. When I arrived at GCSB, I learned that the Audit Committee had not met since June 2010. I understand that GCSB had quite an unsettled period between October 2010 and February 2012, during which time it had a number of Directors and Acting Directors, and I have been advised that this was the reason the Committee did not meet. The current Director decided soon after his appointment that the Committee should be reactivated. This has been done and the Committee, retitled the Risk and Audit Committee, was as at the date of this report scheduled to meet on 25 March 2013.

50. At its June 2010 meeting the Audit Committee considered a document entitled Internal Audit Plan, which included a proposal to commission a compliance framework from a major consultancy firm at a cost of $15,000. The proposal stated: "The compliance framework sets out a good practice model, enabling organisations to embed compliance into the business making all employees accountable as it allows for continuous improvement in an ever changing business environment." It is not clear whether the compliance framework, if commissioned and implemented, would have focused on compliance with the GCSB Act. It is more likely in my view that it would have focused on the full spectrum of legislation that applies to GCSB (e.g. the Public Finance Act 1989, the Official Information Act 1982, the Privacy Act 1993, etc.). It does, though, seem likely that a review of this kind would have identified gaps in GCSB's compliance framework, and recommended better systems and processes to manage compliance. The proposal, however, was not proceeded with, apparently for cost reasons.

Recommendations

51. I recommend that:

a. legal compliance be included in GCSB's risk framework;

b. the Risk and Audit Committee (which has now resumed) continue to be convened regularly;

c. legal compliance be included in the regular reporting to the Risk and Audit Committee.

Availability of authoritative guidance and compliance tools at GCSB

52. In any robust compliance regime there needs to be ready access to relevant legal and procedural advice, and information tools that make compliance easier to achieve. What is needed will be different depending on the various positions and roles.

53. At GCSB I found:

a. Legal advice: I expected, when I arrived at GCSB, to find easily a collection of all relevant Acts and Regulations, judicial decisions, legal commentary, journals and academic articles. I also expected there to be a collection of legal opinions (internal or provided by the Crown Law Office), kept in a centralised repository and cross-indexed. Even with the assistance of GCSB's IT and Registry staff, and other staff who had worked closely with the DDME, I could not locate this information. The lack of an accessible, centralised and comprehensive repository of legal advice created a risk for the organisation in terms of institutional knowledge, which came to fruition when the DDME went on leave in September 2012 and later resigned. The legal advisors who have arrived since October 2012 have worked to create a more accessible centralised repository of authoritative material and legal precedents.

b. Operational guidance for the SIGINT operation: Within GCSB, the compliance focus is very much on the Signals Intelligence (SIGINT) operation, which collects foreign intelligence. Almost the entire compliance effort is focused on that part of the business. New Zealand Signals Intelligence Directive 7 (NZSID7) provides useful compliance advice for those in the SIGINT part of the operation. NZSID7 is well understood and is available online on the internal website. It is considered to be completely authoritative and staff rely upon it (much more than the GCSB Act, which is not commonly referred to) to ensure legal compliance in their daily work. GCSB's Compliance Advisor is well versed in NZSID7 and available to provide advice on its interpretation. Unfortunately the version of NZSID7 that was in force when I arrived incorporated some assumptions and interpretations of the GCSB Act that have since been found to be incorrect or at the very least open to serious doubt (see paragraphs 22 to 31 above). NZSID7 has since been reviewed and amended to reflect the legal advice received since the end of September 2012.

c. Operational guidance for the rest of the Bureau: Parts of the organisation other than SIGINT often do not have the benefit of compliance advice that is specific to their work (unless they are required to access SIGINT tools and databases, in which case they will comply with NZSID7). For example, it is part of the information assurance function to provide expert technical assistance, in certain circumstances and on request, where a government department network appears to have been compromised. In such a situation GCSB responds to a request for assistance from the relevant agency, and provides highly valued expertise. In addition to the legal issues raised at the start of this report, the forensic work that is required may raise privacy issues. I note that there are MOUs between GCSB and the agencies that use GCSB's information assurance services, which oblige GCSB to take all reasonable steps both to protect departmental information and to safeguard the privacy of individual network users in compliance with the Privacy Act 1993. Staff undertaking this assurance work are acutely aware of the privacy issues, and do take steps to avoid unnecessarily accessing personal information where they can. The practical guidance they have to follow, however, is limited, which in my view is unsatisfactory.

d. Precedents, examples and frequently asked questions: A universal theme throughout my discussions with the staff of the Bureau was an express wish for a centralised and authoritative collection of compliance precedents, examples and frequently asked questions. At the moment, information of this sort is scattered throughout the Bureau: held by individuals in personal folders, on the intranet, in a SharePoint database, on the internal wiki and the internal blog site. Some units have developed precedents databases of their own, relevant only to their own area of operation. Some rely on institutional knowledge. GCSB's quarterly report to the Inspector-General of Intelligence and Security (IGIS) dated 26 January 2011 notes: "The absence of the Compliance Advisor overseas highlighted the need for a compliance precedents database, where information on previous compliance decisions and points of policy could be accessed. A rudimentary database was set up in anticipation of SharePoint." Although SharePoint has been introduced, the situation is no better now. The information is not consolidated and much of it is out of date. The recent introduction of an Electronic Document and Records Management System (EDRMS) may assist but it will not be a complete answer. Staff are unclear about whether it is their job to compile such information; they are not confident about how to go about it and find it time-consuming to do. The Compliance Advisor told me that compiling and updating precedents and FAQs is on her work programme but she has not had time to address it.

e. Consolidated database: One further matter was raised with me, which involves classified information. That proposal is discussed at Appendix 6.

Recommendations

54. I recommend that:

a. the legal advisors at GCSB be required to maintain an accessible, centralised repository of authoritative legal material, opinions and legal precedents for reference within the legal team;

b. NZSID7 and other operational advice be reviewed regularly to ensure that it remains current and fit for purpose, as part of the assessing and identifying phase of the compliance framework, and be made available to staff in one easily accessed location;

c. operational guidance be developed for the organisation beyond the SIGINT operation;

d. separately from the legal advisors' material, there be a centralised repository of useful operational compliance precedents, examples and frequently asked questions, which is authoritative and kept up to date, searchable and cross-referenced and available electronically in a user-friendly format as a resource for the whole Bureau;

e. staff not be permitted to keep precedents and compliance advice on their personal drives, because it will become out of date; if they receive a particularly useful opinion or piece of compliance advice they be directed to ask the Compliance Advisor or team to include it in the legal and compliance precedents;

f. thought be given to the costs and benefits of a consolidated database, as discussed in classified Appendix 6.

Procedures at GCSB

55. The GCSB operation is very complex. There are very many different activities that need to be regulated. There is a range of ways in which communications are intercepted and authorised for interception, and differences (depending on a number of factors) in the ways SIGINT is handled, stored, accessed, processed, produced and disseminated. In some cases under the GCSB Act warrants and authorities are required; in other cases GCSB may conduct its activities without such documentary authorisations. There are differences between the protective and intelligence functions. There is considerable operational interconnection with other agencies, and relationships with both public and private sector entities, and with other intelligence agencies within New Zealand and beyond New Zealand. All of these relationships and factors lead to an extremely complicated compliance landscape.

56. There are some areas of strength in the current systems and processes. Systems and processes tend to be stronger in the Intelligence Directorate, possibly because the more invasive powers of the Bureau (as opposed to the protective functions) have always been recognised as needing careful regulation. Additionally, it seems that GCSB's own guidance on the collection and reporting of foreign intelligence as set out in NZSID7 is accessible and clear. (The only problem is, as discussed earlier, that some basic aspects of NZSID7 were based on some interpretations of the Act that are no longer accepted.)


More information

Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence

Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence 14 May 2008 Contents Introduction 2 What information may be covered by this exemption? 3 Was the information

More information

Information and records management. Purpose. Scope. Policy

Information and records management. Purpose. Scope. Policy Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of corporate information and records within NZQA.

More information

DRAFT DATA RETENTION AND INVESTIGATORY POWERS BILL

DRAFT DATA RETENTION AND INVESTIGATORY POWERS BILL DRAFT DATA RETENTION AND INVESTIGATORY POWERS BILL INTRODUCTION EXPLANATORY NOTES 1. These explanatory notes relate to the Draft Data Retention and Investigatory Powers Bill. They have been prepared by

More information

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:

More information

(Effective as of December 15, 2009) CONTENTS

(Effective as of December 15, 2009) CONTENTS INTERNATIONAL STANDARD ON QUALITY CONTROL 1 QUALITY CONTROL FOR FIRMS THAT PERFORM AUDITS AND REVIEWS OF FINANCIAL STATEMENTS, AND OTHER ASSURANCE AND RELATED SERVICES ENGAGEMENTS (Effective as of December

More information

Justice Sub-Committee on Policing. Armed police officers. Letter from HM Inspector of Constabulary in Scotland to the Convener

Justice Sub-Committee on Policing. Armed police officers. Letter from HM Inspector of Constabulary in Scotland to the Convener Justice Sub-Committee on Policing Armed police officers Letter from HM Inspector of Constabulary in Scotland to the Convener Terms of Reference for HMICS Assurance Review Police Scotland Standing Firearms

More information

ANALYSIS FOR OUTCOMES BETTER USE OF DATA TO IMPROVE OUTCOMES

ANALYSIS FOR OUTCOMES BETTER USE OF DATA TO IMPROVE OUTCOMES Chair Cabinet Committee on State Sector Reform and Expenditure Control ANALYSIS FOR OUTCOMES BETTER USE OF DATA TO IMPROVE OUTCOMES Purpose 1. This paper reports back on business case work to develop a

More information

Report to the Public Accounts Committee on mitigation of cyber attacks. October 2013

Report to the Public Accounts Committee on mitigation of cyber attacks. October 2013 Report to the Public Accounts Committee on mitigation of cyber attacks October 2013 REPORT ON MITIGATION OF CYBER ATTACKS Table of contents I. Introduction and conclusion... 1 II. How government bodies

More information

Managing Compliance with EPBC Act Conditions of Approval

Managing Compliance with EPBC Act Conditions of Approval 3 Performance Audit Report No. 43 (2013-14) Managing Compliance with EPBC Act Conditions of Approval Introduction 3.1 Chapter 3 discusses the Joint Committee of Public Accounts and Audit (JCPAA) review

More information

Effective from 1 January 2009. Code of Ethics for insolvency practitioners.

Effective from 1 January 2009. Code of Ethics for insolvency practitioners. INSOLVENCY PRACTITIONERS (PART D) Effective from 1 January 2009. Code of Ethics for insolvency practitioners. On 1 January 2014 a minor change was made to paragraph 400.3 of the code. The change clarifies

More information

Focused examination of learning disability assessment and care management services 2010

Focused examination of learning disability assessment and care management services 2010 Focused examination of learning disability assessment and care management services 2010 Scope of examination As identified through discussion of the Director s report for 2009/10, Jill Lewis, Regional

More information

Client complaint management policy

Client complaint management policy Client complaint management policy 1. Policy purpose This policy implements section 219A of the Public Service Act 2008 in the Department of Justice and Attorney-General (DJAG). Under this section, Queensland

More information

Queensland WHISTLEBLOWERS PROTECTION ACT 1994

Queensland WHISTLEBLOWERS PROTECTION ACT 1994 Queensland WHISTLEBLOWERS PROTECTION ACT 1994 Act No. 68 of 1994 Queensland WHISTLEBLOWERS PROTECTION ACT 1994 Section PART 1 PRELIMINARY TABLE OF PROVISIONS Division 1 Title and commencement Page 1 Short

More information

Regulatory Impact Statement

Regulatory Impact Statement Regulatory Impact Statement Improving Case Management for Civil Cases in the High Court Agency Disclosure Statement This Regulatory Impact Statement (RIS) has been prepared by the Ministry of Justice.

More information

Supplementary Policy on Data Breach Notification Legislation

Supplementary Policy on Data Breach Notification Legislation http://www.privacy.org.au Secretary@privacy.org.au http://www.privacy.org.au/about/contacts.html 4 May 2013 Supplementary Policy on Data Breach Notification Legislation Introduction It has been reported

More information

INSOLVENCY CODE OF ETHICS

INSOLVENCY CODE OF ETHICS LIST OF CONTENTS INSOLVENCY CODE OF ETHICS Paragraphs Page No. Definitions 2 PART 1 GENERAL APPLICATION OF THE CODE 1-3 Introduction 3 4 Fundamental Principles 3 5-6 Framework Approach 3 7-16 Identification

More information

National Occupational Standards. Compliance

National Occupational Standards. Compliance National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements

More information

How To Ensure That A Quality Control System Is Working Properly

How To Ensure That A Quality Control System Is Working Properly HKSQC 1 Issued June 2009; revised July 2010, May 2013, February 2015 Effective as of 15 December 2009 Hong Kong Standard on Quality Control 1 Quality Control for Firms that Perform Audits and Reviews of

More information

FAQs Organised Crime and Anti-corruption Legislation Bill

FAQs Organised Crime and Anti-corruption Legislation Bill FAQs Organised Crime and Anti-corruption Legislation Bill What is organised crime? Organised crime normally refers to an organisation of criminals who engage in illegal activity on a large, centralised

More information

Lexcel England and Wales v6 Guidance notes for in-house legal departments Excellence in practice management and client care. 2015 The Law Society.

Lexcel England and Wales v6 Guidance notes for in-house legal departments Excellence in practice management and client care. 2015 The Law Society. Excellence in practice management and client care 2015 The Law Society. Contents Introduction... 3 PART ONE - GUIDANCE AGAINST LEXCEL STANDARD REQUIREMENTS... 4 1 - Structure and strategy... 4 2 - Financial

More information

Digital Continuity Plan

Digital Continuity Plan Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach

More information

Policy Documentation Development Information

Policy Documentation Development Information Policy Documentation Development Information Contents Overview... 1 Policy Website... 1 Policy Documentation Repository... 1 Policy Levels... 1 University-Wide Policy Documentation... 2 Statutes... 2 Policies...

More information

Option 1 would result a continuation of the status quo whereby the 2001/2004 Industrial Relations Acts had become inoperable.

Option 1 would result a continuation of the status quo whereby the 2001/2004 Industrial Relations Acts had become inoperable. Section 1- Executive Summary Summary of Regulatory Impact Assessment (RIA) Department: Jobs, Enterprise and Innovation Stage: Published Title of Legislation: Industrial Relations (Amendment) Bill 2015

More information

VULNERABLE CHILDREN'S BILL: SPECIFIC CARE AND PROTECTION LEGISLATION CHANGES

VULNERABLE CHILDREN'S BILL: SPECIFIC CARE AND PROTECTION LEGISLATION CHANGES Budget Sensitive Ministerial Oversight Group Chair Cabinet VULNERABLE CHILDREN'S BILL: SPECIFIC CARE AND PROTECTION LEGISLATION CHANGES Proposal 1 In September 2012, Cabinet agreed that the White Paper

More information

The Rehabilitation of Offenders Act 1974 (Exclusions and Exceptions) (Scotland) Amendment Order 2015 Draft

The Rehabilitation of Offenders Act 1974 (Exclusions and Exceptions) (Scotland) Amendment Order 2015 Draft Published 8th September 2015 SP Paper 782 47th Report, 2015 (Session 4) Web Delegated Powers and Law Reform Committee The Rehabilitation of Offenders Act 1974 (Exclusions and Exceptions) (Scotland) Amendment

More information

Note that the following document is copyright, details of which are provided on the next page.

Note that the following document is copyright, details of which are provided on the next page. Please note that the following document was created by the former Australian Council for Safety and Quality in Health Care. The former Council ceased its activities on 31 December 2005 and the Australian

More information

How To Deal With An Allegation Of Sexual Abuse In A School

How To Deal With An Allegation Of Sexual Abuse In A School 1 Model Allegations Management Policy for Knowsley Schools and Education Settings July 2015 Introduction 1. All schools and education settings have a duty to promote and safeguard the welfare of children

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS 2007. 2007 No. 2199

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS 2007. 2007 No. 2199 EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS 2007 2007 No. 2199 1. This explanatory memorandum has been prepared by the Home Office and is laid before Parliament by Command of

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

2015docs\INSLM02. 1 See Intelligence Services Act 1994, s 5(1): No entry on or interference with property or with wireless telegraphy

2015docs\INSLM02. 1 See Intelligence Services Act 1994, s 5(1): No entry on or interference with property or with wireless telegraphy Professor Clive Walker School of Law, University of Leeds Inquiry into section 35P of the Australian Security Intelligence Organisation Act 1979 Submission to the Independent Security Law Monitor 3 April

More information

HORIZON OIL LIMITED (ABN: 51 009 799 455)

HORIZON OIL LIMITED (ABN: 51 009 799 455) HORIZON OIL LIMITED (ABN: 51 009 799 455) CORPORATE CODE OF CONDUCT Corporate code of conduct Page 1 of 7 1 Introduction This is the corporate code of conduct ( Code ) for Horizon Oil Limited ( Horizon

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version: 3.2 Authorisation Committee: Date of Authorisation: May 2014 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying

More information

Civil Aviation Authority. Regulatory Enforcement Policy

Civil Aviation Authority. Regulatory Enforcement Policy Civil Aviation Authority Regulatory Enforcement Policy PAGE 2 REGULATORY ENFORCEMENT POLICY Civil Aviation Authority This policy is subject to a phased implementation process please therefore check applicability

More information

Lexcel England and Wales v6 Standard for in-house legal departments Excellence in legal practice management and client care

Lexcel England and Wales v6 Standard for in-house legal departments Excellence in legal practice management and client care www.lawsociety.org.uk/lexcel Lexcel England and Wales v6 Standard for in-house legal departments Excellence in legal practice management and client care Lexcel England and Wales v6 Contents About Lexcel...

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Presentation to 21 st Asian Export Control Seminar The Wassenaar Arrangement and the ATT 26-28 February 2014. Tokyo, Japan

Presentation to 21 st Asian Export Control Seminar The Wassenaar Arrangement and the ATT 26-28 February 2014. Tokyo, Japan Check Against Delivery Presentation to 21 st Asian Export Control Seminar The Wassenaar Arrangement and the ATT 26-28 February 2014 Tokyo, Japan It is a pleasure to join the Asian Export Control Seminar

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

DEMOCRATIC REPUBLIC OF TIMOR-LESTE NATIONAL PARLIAMENT

DEMOCRATIC REPUBLIC OF TIMOR-LESTE NATIONAL PARLIAMENT DEMOCRATIC REPUBLIC OF TIMOR-LESTE NATIONAL PARLIAMENT LAW No. /2003 INTERNAL SECURITY Ensuring internal security constitutes a pre-condition for safeguarding the peace and stability of any sovereign country

More information

FINANCIAL SERVICE PROVIDERS (REGISTRATION) REGULATIONS

FINANCIAL SERVICE PROVIDERS (REGISTRATION) REGULATIONS 1 OFFICE OF THE MINISTER OF COMMERCE The Chair CABINET ECONOMIC GROWTH AND INFRASTRUCTURE COMMITTEE FINANCIAL SERVICE PROVIDERS (REGISTRATION) REGULATIONS PROPOSAL 1 This paper seeks Cabinet approval for

More information

Strategic Priorities for the Cooperation against Cybercrime in the Eastern Partnership Region

Strategic Priorities for the Cooperation against Cybercrime in the Eastern Partnership Region CyberCrime@EAP EU/COE Eastern Partnership Council of Europe Facility: Cooperation against Cybercrime Strategic Priorities for the Cooperation against Cybercrime in the Eastern Partnership Region Adopted

More information

Senate. SEN15-P17 11 March 2015. Paper Title: Enhancing Information Governance at Loughborough University

Senate. SEN15-P17 11 March 2015. Paper Title: Enhancing Information Governance at Loughborough University SEN15-P17 11 March 2015 Senate Paper Title: Enhancing Information Governance at Loughborough University Author: Information Technology & Governance Committee 1. Specific Decision Required by Committee

More information

CODE OF CONDUCT as adopted by the Board of Directors on 20 February 2015

CODE OF CONDUCT as adopted by the Board of Directors on 20 February 2015 GOLDFIELDS MONEY LIMITED ACN 087 651 849 CODE OF CONDUCT as adopted by the Board of Directors on 20 February 2015 1. Purpose This Code of Conduct (Code) clearly states the standards of responsibility and

More information

PART FIVE Charter Report and Performance Measures

PART FIVE Charter Report and Performance Measures PART FIVE Charter Report and Performance Measures PART FIVE Charter Report and Performance Measures 79 NEW ZEALAND INLAND REVENUE Annual Report 2004 80 PART FIVE Charter Report and Performance Measures

More information

CROATIAN PARLIAMENT Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the

CROATIAN PARLIAMENT Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the CROATIAN PARLIAMENT Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON THE SECURITY INTELLIGENCE SYSTEM OF THE REPUBLIC OF CROATIA

More information

Information Governance and Management Standards for the Health Identifiers Operator in Ireland

Information Governance and Management Standards for the Health Identifiers Operator in Ireland Information Governance and Management Standards for the Health Identifiers Operator in Ireland 30 July 2015 About the The (the Authority or HIQA) is the independent Authority established to drive high

More information

Risk Management. Group Standard

Risk Management. Group Standard Group Standard Risk Management Effective risk management allows Serco to improve customer service, maximize opportunities and reduce business loss from overruns and cost from risks that materialise SMS

More information

Statutory duty of candour with criminal sanctions Briefing paper on existing accountability mechanisms

Statutory duty of candour with criminal sanctions Briefing paper on existing accountability mechanisms Statutory duty of candour with criminal sanctions Briefing paper on existing accountability mechanisms Background In calling for the culture of the NHS to become more open and honest, Robert Francis QC,

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

The Scottish referendum. Response to consultations

The Scottish referendum. Response to consultations The Scottish referendum Response to consultations March 2012 1 Translations and other formats For information on obtaining this publication in another language or in a largeprint or Braille version please

More information

Client Update Fourth Anti-Money Laundering Directive Comes Into Force

Client Update Fourth Anti-Money Laundering Directive Comes Into Force 1 Client Update Fourth Anti-Money Laundering Directive Comes Into Force OVERVIEW LONDON Karolos Seeger kseeger@debevoise.com Matthew Howard Getz mgetz@debevoise.com Alex Parker aparker@debevoise.com Ceri

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

GUIDELINES ISSUED UNDER PART 5A OF THE EDUCATION ACT 1990 FOR THE MANAGEMENT OF HEALTH AND SAFETY RISKS POSED TO SCHOOLS BY A STUDENT S VIOLENT

GUIDELINES ISSUED UNDER PART 5A OF THE EDUCATION ACT 1990 FOR THE MANAGEMENT OF HEALTH AND SAFETY RISKS POSED TO SCHOOLS BY A STUDENT S VIOLENT GUIDELINES ISSUED UNDER PART 5A OF THE EDUCATION ACT 1990 FOR THE MANAGEMENT OF HEALTH AND SAFETY RISKS POSED TO SCHOOLS BY A STUDENT S VIOLENT BEHAVIOUR CONTENTS PAGE PART A INTRODUCTION AND STATEMENT

More information

National Standards for Safer Better Healthcare

National Standards for Safer Better Healthcare National Standards for Safer Better Healthcare June 2012 About the Health Information and Quality Authority The (HIQA) is the independent Authority established to drive continuous improvement in Ireland

More information

A Guide to Corporate Governance for QFC Authorised Firms

A Guide to Corporate Governance for QFC Authorised Firms A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide

More information

Committees Date: Subject: Public Report of: For Information Summary

Committees Date: Subject: Public Report of: For Information Summary Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security

More information

Should you have any questions about our submission, please contact Tony de Govrik on 02 9953 1057. Kind regards

Should you have any questions about our submission, please contact Tony de Govrik on 02 9953 1057. Kind regards Assistant Secretary Business Law Branch Attorney-General s Department Robert Garran Offices 3 5 National Circuit BARTON ACT 2600 contractlaw@ag.gov.au 20 July 2012 Dear Assistant Secretary, IMPROVING AUSTRALIA

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information